Borg Galea & Associates

Compliance Audit Malta: Find the Gaps Before the FIAU Does

FIAU penalties run from €1,000 to €46,500 per breach — and directors face personal liability. A compliance audit identifies where your AML, regulatory or tax obligations are falling short, so you can fix issues on your terms rather than under enforcement pressure.

  • AML/CFT, MFSA regulatory and tax compliance audits in a single engagement
  • Covers CDD processes, STR reporting, beneficial ownership and risk assessments
  • Identifies gaps before FIAU or MFSA supervisory examinations
  • Actionable remediation plan with clear timelines and responsibility assignments

Practising auditors and compliance professionals advising MFSA-licensed entities since 2004.

Get a Scope and Fee Estimate

Free consultation. No obligations.

  • Established practice
  • Extensive regulatory experience
  • Proven track record
  • MFSA licensed & regulated

Your Contacts

  • Andrew Fenech, Business Development Manager
  • Adrian Pavia Dimech, Audit Principal
  • Tatiana Muscat, Audit Manager

Warranted by the Malta Accountancy Board

ACCA & MIA Certified Professionals

Corporate Member of FinanceMalta, MIT & IFSP

Fully GDPR & AMLD-Compliant

Fix Compliance Gaps on Your Terms — Not Under Regulatory Pressure

A compliance audit is a systematic review that verifies whether your organisation meets its legal, regulatory and internal policy obligations. In Malta, this covers a broad range of requirements — from AML/CFT obligations under the Prevention of Money Laundering Act (Cap. 373) to MFSA licensing conditions, tax compliance and internal governance frameworks.

The distinction from a statutory audit is important. A statutory audit examines whether your financial statements present a true and fair view. A compliance audit examines whether your processes, controls and procedures meet the rules that apply to your business. The two serve different purposes, and one does not replace the other.

Malta’s position as an EU financial services hub means regulatory expectations are high. The FIAU uses its CASPAR risk-assessment system to prioritise supervisory examinations, and MFSA conducts AML reviews on the FIAU’s behalf for licensed entities. Companies that wait for a regulatory inspection to discover their gaps tend to face steeper penalties and longer remediation timelines than those that identify issues proactively.

Four Audit Types, One Engagement: AML, Regulatory, Tax and Internal

AML/CFT Compliance Audit

Reviews your adherence to the Prevention of Money Laundering Act (Cap. 373) and the PMLFTR. Covers customer due diligence, suspicious transaction reporting, beneficial ownership verification, risk assessments and staff training. Required for all subject persons: financial institutions, accountants, auditors, company service providers, lawyers involved in financial transactions, and real estate agents.

MFSA Regulatory Compliance Audit

Examines adherence to MFSA licensing conditions and sector-specific rules. Covers governance frameworks, compliance officer functions, internal controls, the Three Lines Model and regulatory reporting. Required for investment firms, banks, insurance intermediaries, payment institutions, VFA service providers and collective investment schemes.

Tax Compliance Audit

Verifies corporate income tax, VAT, provisional tax and transfer pricing obligations. Since January 2024, companies with cross-border intra-group transactions must maintain transfer pricing documentation under S.L. 123.207. The Commissioner for Revenue conducts proactive audits targeting discrepancies, unusual transactions and sectors under increased scrutiny.

Internal Compliance Audit

Assesses internal policies, procedures and controls against your own operational standards. Mandatory for larger MFSA-licensed entities with complex operations. Provides the Board with independent assurance that internal frameworks are working as intended.

Three Audits, Three Purposes — Most Malta Companies Need More Than One

Understanding the differences helps you determine which reviews your entity actually requires.

Aspect            | Compliance Audit                                            | Statutory Audit                                               | Internal Audit
------------------|-------------------------------------------------------------|---------------------------------------------------------------|---------------------------------------------------------
Primary focus     | Adherence to laws, regulations, AML/CFT obligations         | Accuracy of financial statements                              | Effectiveness of internal controls
Legal basis       | PMLA (Cap. 373), MFSA Rules, sector regulations             | Companies Act (Cap. 386), Income Tax Management Act           | MFSA requirements for licensed entities
Scope             | CDD, STR, risk assessments, governance, regulatory reporting | Financial reporting, accounting standards, true and fair view | Risk management, governance frameworks, internal processes
Who needs it      | MFSA-licensed entities, AML subject persons                 | Most Malta limited liability companies                        | MFSA-licensed entities with significant operational scale
Typical frequency | Annual or risk-based (every 1–3 years)                      | Annual                                                        | Annual or semi-annual for high-risk areas

MFSA-licensed entities typically require all three audit types. The Three Lines Model places business operations first, compliance and risk oversight second, and internal audit third.

What Non-Compliance Actually Costs: FIAU and MFSA Penalty Ranges

Regulators have clear penalty frameworks. The cost of a compliance audit is a fraction of a single breach penalty.

Violation Type                      | Authority                 | Penalty Range
------------------------------------|---------------------------|-----------------------------------------------
AML breach (standard)               | FIAU                      | €1,000 – €46,500 per breach
AML breach (serious/systematic)     | FIAU                      | Cumulative penalties, criminal prosecution
Director or MLRO personal liability | FIAU                      | Administrative penalties under Reg. 21(7) PMLFTR
MFSA regulatory breach              | MFSA                      | Scoring matrix — up to €72,000+ per breach
VAT late registration               | Commissioner for Revenue  | Up to €250 or 20% of excess output tax
Tax fraud or evasion                | Commissioner for Revenue  | Criminal penalties and imprisonment

Sources: FIAU Enforcement Factsheet 2021/2022; MFSA Guidance Note on Administrative Penalties methodology. Multiple breaches in a single examination can result in cumulative penalties well above the per-breach maximum.

A proactive compliance audit costs a fraction of a single FIAU penalty. Find out where you stand.

Get My Compliance Review

Is Your Entity Required to Undergo a Compliance Audit?

Mandatory for MFSA-licensed entities: Investment services firms (Category 2 and 3 licence holders), credit institutions, insurance companies and intermediaries, payment institutions, e-money issuers, VFA service providers, company service providers and collective investment schemes.

Mandatory for AML subject persons: Accountants and auditors conducting relevant activity, lawyers and notaries involved in financial or property transactions, real estate agents, trust service providers, and casinos and gaming operators.

Recommended for: Companies preparing for MFSA or FIAU inspections, entities undergoing M&A transactions or capital raises, businesses expanding into new regulated activities, and any organisation that wants to identify compliance gaps before a regulator does.

Even companies not legally required to undergo a compliance audit benefit from periodic reviews. A voluntary audit demonstrates a proactive compliance culture — something regulators specifically look for during examinations.

From Scoping to Remediation: What Happens in Four Stages

Our compliance audit follows a structured methodology aligned with FIAU and MFSA supervisory processes.

01. Scoping and Regulatory Mapping

We identify which regulations apply to your entity — PMLA, MFSA licensing conditions, tax rules, GDPR — and assess high-risk areas. You receive a detailed scope document and timeline before fieldwork begins.

02. Fieldwork and Testing

Our team reviews your CDD files, STR processes, risk assessments, governance frameworks and internal controls. We test samples of customer files, interview key staff and evaluate your compliance systems against regulatory expectations.

03. Reporting and Risk Rating

Findings are classified by severity — critical, high, medium and low. You receive a detailed report with evidence, root cause analysis and specific recommendations, not generic observations.

04. Remediation and Follow-Up

We help you build a corrective action plan with clear timelines and responsible parties. Where needed, we conduct follow-up testing to confirm that changes are working before your next regulatory examination.

Audit, Fix and Prove It — Before the Regulator Arrives

Walk Into FIAU Examinations Prepared

Your audit is conducted by professionals who regularly prepare MFSA-licensed entities for FIAU examinations across investment services, insurance, payments and VFA. You get findings calibrated to what examiners actually look for.

A Remediation Plan You Can Implement Immediately

Every finding comes with a severity rating, root cause analysis and a specific remediation recommendation. No generic checklists — you get a plan with clear owners and timelines ready to execute.

Go From Gaps to Audit-Ready in One Engagement

You are supported from initial findings through remediation to follow-up testing. By the time the regulator arrives, your corrective actions are documented and verified — not still in progress.

One Engagement Instead of Three Separate Firms

AML/CFT, MFSA regulatory and tax compliance reviewed together in a single coordinated engagement. Less duplication, lower total cost, and no gaps between audit scopes.

Compliance Audit Malta: What Directors and MLROs Ask Us

A compliance audit reviews whether your organisation meets its legal, regulatory and policy obligations — covering AML processes, governance frameworks, regulatory reporting and internal controls. A statutory audit examines whether your financial statements present a true and fair view under accounting standards. Both may be required, but they serve different purposes and one does not replace the other.

Compliance audits are mandatory for MFSA-licensed entities (investment firms, banks, insurance companies, VFA providers, company service providers) and for AML subject persons under the Prevention of Money Laundering Act. This includes accountants, auditors, lawyers involved in financial transactions, real estate agents and trust service providers. Companies preparing for regulatory inspections or M&A transactions also benefit from voluntary compliance reviews.

MFSA-licensed entities should conduct annual internal compliance reviews. FIAU and MFSA inspections follow a risk-based schedule, typically every one to three years. AML subject persons with significant risk exposure should budget for annual or bi-annual compliance audits. At a minimum, conduct a compliance review whenever regulations change, your business model evolves or you receive notice of an upcoming regulatory examination.

Common triggers include risk-based supervisory reviews, suspicious activity detected in the financial system, complaints from customers or counterparties, random selection as part of routine supervision, failure to maintain updated compliance documentation, expansion into new regulated activities, and unresolved findings from previous inspections.

The FIAU can impose administrative penalties of €1,000 to €46,500 per breach for standard violations. Serious, repeated or systematic breaches attract higher cumulative penalties. Directors and Money Laundering Reporting Officers face personal liability under Regulation 21(7) of the PMLFTR. Criminal prosecution is possible for the most serious cases.

Costs vary depending on entity size, audit scope and the quality of existing documentation. A small company AML audit typically runs €3,000 to €8,000. Mid-size MFSA-licensed entities should expect €10,000 to €25,000. Complex multi-licence financial institutions can reach €30,000 to €100,000 or more. We provide a fixed-fee quote after an initial scoping discussion.

It depends on the specific engagement and applicable independence rules. In many cases, a single firm can perform both, provided there are no conflicts of interest and the engagement complies with MFSA independence requirements. For MFSA-licensed entities, the compliance audit function must be independent from the activities it reviews. During our scoping discussion, we assess whether any independence constraints apply to your entity and advise accordingly.

A small company AML audit typically takes two to four weeks. Mid-size company regulatory audits run four to eight weeks. Complex MFSA-licensed entities may require eight to sixteen weeks or more. The biggest variable is the quality of your existing documentation — well-organised records shorten every phase.

An MLRO oversees your organisation’s AML/CFT systems, acts as the focal point for AML enquiries and reports suspicious transactions to the FIAU. All MFSA-licensed entities and AML subject persons must appoint an MLRO. The role requires sufficient seniority, relevant AML/CFT experience, freedom from conflicts of interest, and prior approval from MFSA for licensed entities.

Typical documents include customer due diligence files, risk assessments, AML/CFT policies and procedures manuals, suspicious transaction reports, staff training records, beneficial ownership verification documents, compliance officer reports to the Board, regulatory reporting submissions and business continuity plans.

Yes, and it is one of the most effective ways to prepare. A voluntary audit lets you identify and fix gaps on your own terms, demonstrate a proactive compliance culture to regulators, and reduce the risk of penalties during the actual examination. We recommend conducting a voluntary review whenever you receive notice of an upcoming inspection or at least annually for MFSA-licensed entities.

You develop a remediation plan with timelines and responsible parties, implement corrective actions such as updated policies and enhanced controls, then conduct follow-up testing to confirm the changes are effective. If issues are found during a regulatory inspection, the FIAU or MFSA will issue a remediation directive with a specified timeframe, typically three to six months for significant findings.

Statutory audit exemption under the Companies Act relates only to financial statement audits. If your company is a subject person under AML legislation — for example, a company service provider, accounting firm or real estate agency — AML compliance requirements apply regardless of company size. The two obligations are separate.

Find Out Where Your Compliance Stands — Before a Regulator Does

Tell us about your entity and the regulations that apply to your business. We will outline the scope of a compliance audit, provide a fee estimate and explain what to expect. No obligation — we typically respond within one working day.

You will speak with

  • Andrew Fenech, Business Development Manager
  • Adrian Pavia Dimech, Audit Principal
  • Tatiana Muscat, Audit Manager

  • Free initial consultation
  • Response within 24 hours
  • No obligations whatsoever


We'll respond within one business day.